Cyber-Duck has achieved ISO 27001 certification, the international standard for information security management, which attests that we operate an independently audited management system for handling sensitive data. This means we can now produce web applications that handle confidential information for the likes of government organisations, blue-chip companies and start-ups.

The plan-do-check-act cycle (PDCA) is integral to both ISO 27001 and ISO 9001. The Cyber-Duck team used it from the very beginning to plan the security standards and assess their viability.

In addition to the 27001 certification, Cyber-Duck is proud to have become Cyber Essentials Plus certified, the UK government-backed scheme under which an organisation's network and device security is independently tested. As a digital agency, Cyber-Duck is also compliant with the Data Protection Act (DPA) and follows the guidance of the Information Commissioner's Office (ICO).

What is ISO 27001?

ISO 27001 is the international standard for managing the confidentiality, integrity and availability of data in a business. At its core is a framework for managing business risk through an Information Security Management System (ISMS). The ISMS not only improves security and data management, it also builds upon Cyber-Duck's ISO 9001 quality management system, which focuses on risk and mitigation to prevent errors from the outset and to ensure continual improvement. At the heart of 27001 are the procedures and controls (the reference controls are listed in the standard's Annex A) that manage and protect physical, digital and technical assets and establish that they are robust and secure. A large part of 27001 concerns people: the whole team must be informed and educated. For this reason, Cyber-Duck has created an internal training and testing programme to ensure all staff are fully aware of, and compliant with, the standards.

Security is in our DNA

Security around data and information is vitally important to many of our clients, and therefore to us too. Security vigilance at Cyber-Duck is not a new thing. Since our inception we have implemented industry-leading security practices for passwords, servers, physical security and data protection. Our Farringdon office is within a building that already follows ISO 27001 property management security standards. Our Hertfordshire office is an isolated building with its own infrastructure, including CCTV, intruder lighting and a police-monitored alarm system. Even before ISO 27001, Cyber-Duck used industry-leading authentication tools (including the Okta single sign-on service) and enterprise password management tools.

On top of all of this, Cyber-Duck has always been audited quarterly by an independent information technology specialist, and selected websites regularly undergo penetration testing as part of client retainer plans. Pushing forward with ISO 27001 was therefore a no-brainer: we were already following many of its security controls, but, as with everything, we were keen to keep improving and to push ourselves for the benefit of our clients.

Ongoing risk assessment underpins Cyber-Duck's aim of analysing risk and preventing issues before they become problems. Each risk item is assessed for its level of risk and is owned by a directly responsible individual (DRI), so that every risk has a named person accountable for treating it.

The scope of ISO 27001 at our digital agency

The scope of Cyber-Duck's information security management system encompasses everything we do, from the operational aspects of the business to all the digital production the agency undertakes. This includes web development, hosting, DevOps and the delivery of multi-channel marketing campaigns. The ISMS covers all company and client data, as well as HR records, at both our offices.

The scope of the ISMS doesn't stop with security management; it complements and reinforces our ISO 9001 quality management system (QMS). The QMS is a set of guidelines that focuses on client satisfaction through delivering quality projects, following our user-centred design (UCD) processes (derived from ISO 9241) and our lean management, continual improvement, document version control, preventative actions and risk/mitigation policies. The ISMS processes and procedures apply to the internal team and to relevant key suppliers, who are vetted, selected and rated on the strength of their own security management systems. This ties in nicely with ISO 9001's requirement to manage and score suppliers against key performance indicators (KPIs).

Cyber-Duck undergoes regular internal and external auditing to ensure that we always stay compliant. Many of these facets are built into ISO 27001 itself, so each ISO standard that Cyber-Duck holds complements the others.

At both the London and Hertfordshire offices, physical and environmental security is a high priority. Physical perimeter security, physical entry controls, secure working areas and protection against external and environmental threats (the physical and environmental security controls of ISO 27001's Annex A) are an ongoing objective.

How Cyber-Duck implemented ISO 27001

Sylvain Reiter, Cyber-Duck's CTO, has been the linchpin of ISO 27001 from the get-go. Using his experience and latitude, he worked swiftly to develop a new ISMS with a number of policies, including a business continuity policy, disaster recovery mechanisms, clean and secure desk policies, a password protection policy, device inventories and an incident reporting policy. This tied in nicely with ISO 9001's focus on non-conformities (NCs) and continual improvement. The new governance system has been a catalyst for internal change, adding value for Cyber-Duck's clients through stronger security and better processes.

Conclusion

Digital security starts with physical security. Now that Cyber-Duck is certified in information security management, our clients will benefit from its robust and scalable security. Our staff go through a security management training programme built around ISO 27001, which has helped to further improve the agency's processes and management system, so that staff flag risks before they become issues. We have also audited a number of different suppliers and software tools, leading to improved workflows and allowing the team to focus on creativity and the secure engineering of apps and web applications.